You Just Got An Email From A Friend – But It Was A Phish

Email_thumb2One of the hardest types of phishing emails to defend against are those that come from the email account of a friend or trusted business associate, such as your dentist, lawyer, realtor.  The sender’s email address is not spoofed, because the malefactor has tricked them into providing their email address password.  The bad guys are actually logged into  your friend’s email account,  and now they are trying to do the same thing to you.

If you are not alert, then you will also be tricked into opening an attachment, or clicking on the provided link.  The way this exploit works is when you try to open the attachment, it doesn’t work, but instead tells you that due to an error you need to log in to your email again.  Then they will present a very realistic looking login page, and if you enter your password, it will belong to the bad guys.  Or you may open an attachment that is blurry and out of focus, but there will be a link “to view in a browser” that will take you to that fake login page.

The end game here for an email account hijacker is to find and copy emails from banks, online shopping accounts, employers, and other business partners in order to get the logins for those accounts in order to hijack them too.  Using your contact list, they will spread their exploit to all your friends and business associates, and just keep the ball rolling.  This is a variation of the “Business Email Compromise” attack we have written about before.

Defense against this threat is almost entirely in your hands.  Spam and other email filters will not catch this because it is coming from someone in your contact list, and most email systems whitelist those senders, and pass the email on unchallenged.  So what can you do?

  • Confirm all attachments, even from known sources with a phone call.
  • Look at the file type, or file extension of the attachment.  Files that end in .zip should be a concern.  Files that end in a double extension such as .pdf.html are always some sort of malicious package.
  • Check out attachments at VirusTotal.  Simply forward any questionable emails with attachments to and change the subject line to SCAN.  VirusTotal will analyze the attachment and send you a report in less than ten minutes.
  • Check out links by hovering over them without clicking.  This will open the tool tip box, and let you see where the link is really going.  If it looks weird, its best to avoid it.  Or right click and choose “copy link address” from the context menu, and paste it into the URL checker at the website.
  • Do not enable macros if an attachment asks you to do so.  This is another common way to attacker to introduce malware on your computer.
  • Use two-factor authentication for email.  This protects you if you inadvertently fall for a scam and give away your password.  Without your smartphone to receive the one-time code, the attacker will not be able to access your email account.

Just one more thing to be on guard against, I know, but these are interesting times we live in, and interesting times require clever people to do smart things in order to survive.  Be a clever person.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.